Preparing for doomsday has its own rich history in this country, and predictions of the apocalypse are hardly new to people of my generation. We lived for decades with the assumption that nuclear war with the Soviet Union was a real possibility. We learned some useful lessons. (We’ll ramble through the age of bomb shelters and civil defense in a later chapter.) Ultimately, Moscow and Washington came to the conclusion that mutual assured destruction, holding each other hostage to the fear of nuclear reprisal, was a healthier approach to coexistence than mass evacuation or hunkering down in our respective warrens of bomb shelters in the hopes of surviving a nuclear winter.
We are living in different times. Whether the threat of nuclear war has actually receded or whether we’ve simply become inured to a condition we cannot change, most of us have finally learned “to stop worrying and love the bomb.” In reality, though, the ranks of our enemies, those who would and can inflict serious damage on America, have grown and diversified. So many of our transactions are now conducted in cyberspace that we have developed dependencies we could not even have imagined a generation ago. To be dependent is to be vulnerable. We have grown cheerfully dependent on the benefits of our online transactions, even as we observe the growth of cyber crime. We remain largely oblivious to the potential catastrophe of a well-targeted cyberattack.
On one level, cyber crime is now so commonplace that we have already absorbed it into the catalogue of daily outrages that we observe, briefly register, and ultimately ignore. Over the course of less than a generation, cyber criminals have become adept at using the Internet for robbery on an almost unimaginable scale. Still, despite the media attention generated by the more dazzling smash-and-grab operations, the cyber criminals whose only intention is to siphon off wealth or hijack several million credit card identities should have a lower priority among our concerns. Their goal is merely grand larceny.
More worrisome is the increasing number of cyberattacks designed to vacuum up enormous quantities of data in what appear to be wholesale intelligence gathering operations. The most ambitious of these was announced on June 4, 2015, and targeted the Office of Personnel Management, which handles government security clearances and federal employee records. The New York Times quoted J. David Cox Sr., the president of the American Federation of Government Employees, as saying the breach might have affected “all 2.1 million current federal employees and an additional two million federal retirees and former employees.” FBI director James Comey told a Senate hearing that the actual number of hacked files was likely more than ten times that number—22.1 million. Government sources were quoted as claiming that the intrusion originated in China. The Times report raises a number of relevant issues:
- The probe was initiated at the end of 2014. It wasn’t discovered until April of 2015.
- It is believed to have originated in China, but the Chinese government denied the charge, challenging U.S. authorities to provide evidence.
- Producing evidence would reveal highly classified sources and methods.
- “The most sophisticated attacks,” the Times noted, “often look as if they were initiated inside the United States, and tracking their true paths can lead down many blind paths.”

All of these issues will receive further attention in later chapters. But as disturbing as these massive data collection operations may be, even they do not come close to representing the greatest cyber threat. Our attention needs to be focused on those who intend widespread destruction.
The Internet provides instant, often anonymous access to the operations that enable our critical infrastructure systems to function safely and efficiently. In early March 2015 the Government Accountability Office issued a report warning that the air traffic control system is vulnerable to cyberattack. This, the report concluded with commendable understatement, “could disrupt air traffic control operations.” Our rail system, our communications networks, and our healthcare system are similarly vulnerable. If, however, an adversary of this country has as its goal inflicting maximum damage and pain on the largest number of Americans, there may not be a more productive target than one of our electric power grids.
Electricity is what keeps our society tethered to modern times. There are three power grids that generate and distribute electricity throughout the United States, and taking down all or any part of a grid would scatter millions of Americans in a desperate search for light, while those unable to travel would tumble back into something approximating the mid-nineteenth century. The very structure that keeps electricity flowing throughout the United States depends absolutely on computerized systems designed to maintain perfect balance between supply and demand. Maintaining that balance is not an accounting measure, it is an operational imperative. The point needs to be restated: for the grid to remain fully operational, the supply and demand of electricity have to be kept in perfect balance. It is the Internet that provides the instant access to the computerized systems that maintain that equilibrium. If a sophisticated hacker gained access to one of those systems and succeeded in throwing that precarious balance out of kilter, the consequences would be devastating. We can take limited comfort in the knowledge that such an attack would require painstaking preparation and a highly sophisticated understanding of how the system works and where its vulnerabilities lie. Less reassuring is the knowledge that several nations already have that expertise, and—even more unsettling—that criminal and terrorist organizations are in the process of acquiring it.
Excerpted from Ted Koppel’s New Book: “Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath.”